Drupal issues emergency fix for critical bug with known exploits

Bleeping Computer

Drupal has released emergency security updates to address a critical vulnerability with known exploits that could allow for arbitrary PHP code execution on some CMS versions.

“According to the regular security release window schedule, November 25th would not typically be a core security window,” Drupal said.

“However, this release is necessary because there are known exploits for one of core’s dependencies and some configurations of Drupal are vulnerable.”

Right now, over 944,000 of a total of 1,120,941 websites are running vulnerable Drupal versions, according to official stats. “These statistics are incomplete; only Drupal websites using the Update Status module are included in the data,” Drupal says.

Drupal is also used by 2.5% of all websites with content management systems, making it the fourth most popular CMS on the Internet, after WordPress (63.8%), Shopify (5.1%), and Joomla (3.6%).
